On Windows Server 2008 R2, one must specify a user for each scheduled task to run under.
We have a policy whereby each domain user must change their password every 30 days.
This creates a problem, as we have many scheduled tasks that need to run on a large number of servers. When the user associated with a given scheduled task changes his/her password (as required every 30 days), the tasks all stop working (until you log in and change the password on the task).
We tried to run the scheduled tasks under the SYSTEM account but this did not work.
I have thought of creating a new account (SCHED_TASK) that cannot log in interactively, is an administrator, and is exempted from the password change requirements.
This seems very much a "hack" to me. Is there a better way or a built in account of some sort that we should use?
What is the best practice in this instance?
In AD you can set "Password Never Expires" (Account Tab) on the service account.
You should still be able to run it as SYSTEM. I have a few AT commands in a batch script for scheduled reboots and such. Just make sure that you "run them as administrator" or they will never run.
Turns out SYSTEM account is the way to go. Another admin here had put some limits on the SYSTEM accounts that were stopping the processes from running. By removing these additional (not present out of the box) security settings everything now works fine.
And the SYSTEM account does not even have a password, so it can't expire, etc.
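
The following is an added example, not part of the original posts: a PowerShell audit that lists scheduled tasks still bound to a named user account, which are the ones that stop working when that user's password changes. The server names, the task path in the final comment, and the English-language `schtasks.exe` column names are assumptions.

```powershell
# Added example: find scheduled tasks that run under a named user account.
# Works with PowerShell 2.0 on Windows Server 2008 R2 (uses schtasks.exe,
# not the Get-ScheduledTask cmdlet, which is not available there).
$servers = @('SERVER01', 'SERVER02')   # hypothetical host names

# Built-in identities that have no password to expire. Built-in Windows
# tasks may also run as groups (e.g. Users, INTERACTIVE); extend as needed.
$builtin = @('SYSTEM', 'NT AUTHORITY\SYSTEM',
             'LOCAL SERVICE', 'NT AUTHORITY\LOCAL SERVICE',
             'NETWORK SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Get-UserBoundTask {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        # /v adds the "Run As User" column; /fo csv makes it parseable
        $csv = schtasks.exe /query /s $computer /fo csv /v 2>$null
        if ($LASTEXITCODE -ne 0 -or -not $csv) {
            Write-Warning "Could not query $computer"
            continue
        }

        $csv | ConvertFrom-Csv |
            Where-Object {
                $_.TaskName -ne 'TaskName' -and        # skip repeated header rows
                $_.'Run As User' -and                  # skip rows with no principal
                $builtin -notcontains $_.'Run As User' # case-insensitive match
            } |
            # Verbose output has one row per trigger; collapse duplicates
            Select-Object HostName, TaskName, 'Run As User' -Unique
    }
}

Get-UserBoundTask -ComputerName $servers | Format-Table -AutoSize

# After reviewing a task, it can be moved to SYSTEM (no password is stored):
#   schtasks.exe /change /s SERVER01 /tn "\Example\NightlyJob" /ru SYSTEM
```

Run it from an account that has administrative rights on the target servers; any host that cannot be queried is reported with a warning rather than silently skipped.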